Due Diligence and Ongoing Monitoring

Hi everyone, we have been getting mixed feedback about how to manage some vendors where as an organization, we possibly serve more as a customer to the vendor such as lease finance vendors. For example, in this case, the "vendor" that we would have go through formal TPRM would be a vendor providing financial services for us.
How are other companies managing these types of external parties? Should they be excluded from the scope of a third-party management program for oversight?
Should it just be followed/managed for contractual terms and not treated as a vendor that may need to undergo due diligence (onboarding questionnaire, risk analysis, periodic audit/questionnaire)?

I wanted to see what others are doing and generally consider best practices for these types of vendors. Your input is truly appreciated. 

Hi Isabel, we had previously scoped these kinds of relationships out of TPRM but we recently had a regulator recommend that we scope in a specific relationship based on significance of the relationship.  For now we have only scoped in a single (regulator recommended) relationship as part of TPRM but will look to include other similarly significant relationships going forward.  I anticipate these will be exceptions rather than the rule, for the vast majority of similar relationships contractual terms I think are sufficient. 

Hope that helps,
Shelly

Hi everyone, we have been getting mixed feedback about how to manage some vendors where as an organization, we possibly serve more as a customer to the vendor such as lease finance vendors. For example, in this case, the "vendor" that we would have go through formal TPRM would be a vendor providing financial services for us.
How are other companies managing these types of external parties? Should they be excluded from the scope of a third-party management program for oversight?
Should it just be followed/managed for contractual terms and not treated as a vendor that may need to undergo due diligence (onboarding questionnaire, risk analysis, periodic audit/questionnaire)?

I wanted to see what others are doing and generally consider best practices for these types of vendors. Your input is truly appreciated. 

Hi Isabel, we had previously scoped these kinds of relationships out of TPRM but we recently had a regulator recommend that we scope in a specific relationship based on significance of the relationship.  For now we have only scoped in a single (regulator recommended) relationship as part of TPRM but will look to include other similarly significant relationships going forward.  I anticipate these will be exceptions rather than the rule, for the vast majority of similar relationships contractual terms I think are sufficient. 

Hope that helps,
Shelly

------------------------------
Shelly Chase
VP Operational Risk
------------------------------

Original Message:
Sent: 04-25-2023 04:19 PM
From: ISABEL GUERRERO
Subject: Formal Vendor Oversight/ Determining Vendors That Are In Scope and Out of Scope

Hi everyone, we have been getting mixed feedback about how to manage some vendors where as an organization, we possibly serve more as a customer to the vendor such as lease finance vendors. For example, in this case, the "vendor" that we would have go through formal TPRM would be a vendor providing financial services for us.
How are other companies managing these types of external parties? Should they be excluded from the scope of a third-party management program for oversight?
Should it just be followed/managed for contractual terms and not treated as a vendor that may need to undergo due diligence (onboarding questionnaire, risk analysis, periodic audit/questionnaire)?

I wanted to see what others are doing and generally consider best practices for these types of vendors. Your input is truly appreciated.